Responsiveness: I notified RockYou and Facebook of this hole on Sep. 14th, and have reminded Facebook a few times since that it remains unpatched. I’ve received no communication from RockYou. Update: Facebook contacted me again this evening and said RockYou had deployed a patch, which I have confirmed.

Today, a credit union in St. Louis, MO called Vantage Credit Union announced a service called tweetMyMoney for conducting online banking through Twitter. According to the FAQ on the credit union’s website, banking credentials, PINs and account information are not passed through the direct messages sent to the @myvcu Twitter account; only commands such as get account balance, recent transactions, etc.

However, there are a few potential security issues with this type of service. While it seems VCU has built this system with good intentions, most of these concerns center on the fact that you are requesting account information, and even transferring money to other accounts, through Twitter, a third-party service not owned or managed by the bank.

Plain and simple, Twitter is a third-party service. When you send a direct message (DM) to another Twitter user, that message is stored on Twitter’s servers, not the bank’s; the bank simply retrieves it. You should never have any expectation of privacy from DMs *at all*. Sure, they are “private” between you and the recipient, but think about who on Twitter’s end might be able to view them. Remember, security at Twitter is not a high priority right now, as we have seen several times in very recent history.

What about a local “man-in-the-middle” attack, where someone sniffing your network traffic could capture or modify your banking requests? A simple attack like this could easily compromise the user’s Twitter account. And guess what: people like to reuse user IDs and passwords, and we all know where that can lead. I am not sure whether they are using any form of two-factor authentication for their online banking application, so a login ID and password alone may be enough to get into a compromised online banking account. Again, I am not sure this is the case with VCU, but yes, some banks are still using single-factor authentication!

How about the security of the @myvcu Twitter account that you send your direct messages to? Attackers *will* target this account; it’s only a matter of time. You are trusting that the folks at VCU are properly securing it and that there are no vulnerabilities on the Twitter site that would let someone take it over. The same account also appears to be used for communicating with customers, so its credentials could be phished or compromised through several avenues of attack.

I question the correspondence authentication codes that they have put in place. Relying on the user to change these multiple codes is an interesting choice; I could see this being spoofed quite easily.

Lastly, the users of this system could also be targeted. Say a user accidentally tweets something like “#l5d 7” to their followers instead of sending it by DM (known as a #dmfail). Attackers can easily script a bot to look for these patterns and target those users.
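As an added illustration (not part of the original post), here is the kind of scan such a bot would run, written in Python against a handful of constructed public tweets. The only command syntax the post shows is “#l5d 7”; the hashtag-plus-number grammar, the @myvcu mention check, the other sample tweets and the user names are assumptions made for this example, not details of the real tweetMyMoney service.

```python
import re

# Assumed command grammar (not from the post): a hashtag of 2-6 letters/digits,
# optionally followed by one numeric argument, e.g. "#l5d 7". Only "#l5d 7"
# appears in the original post; everything else here is constructed.
COMMAND_RE = re.compile(
    r"(?<!\w)(#[a-z][a-z0-9]{1,5})(?:\s+(\d{1,3}))?(?!\w)", re.IGNORECASE
)

# Codes the scanner watches for. "#l5d" is the one quoted in the post; a real
# bot would load the full command list from the service's public FAQ.
KNOWN_COMMANDS = {"#l5d"}


def extract_command(text):
    """Return (code, arg) if text contains a known banking command, else None.

    Unknown hashtags such as "#dmfail" match the grammar but are ignored, and
    a longer tag like "#l5dtest" is not mistaken for "#l5d".
    """
    for m in COMMAND_RE.finditer(text):
        code = m.group(1).lower()
        if code in KNOWN_COMMANDS:
            return code, m.group(2)
    return None


def find_dmfails(tweets, service_account="myvcu"):
    """Scan public tweets for banking commands that should have been DMs.

    A tweet is flagged whether it names the service account publicly
    ("@myvcu #l5d 7") or is a bare command sent to followers ("#l5d 7").
    Returns a list of (user, code, arg, mentions_service) tuples.
    """
    mention_re = re.compile(r"(?<!\w)@%s\b" % re.escape(service_account), re.I)
    hits = []
    for t in tweets:
        found = extract_command(t["text"])
        if found is None:
            continue
        code, arg = found
        hits.append((t["user"], code, arg, bool(mention_re.search(t["text"]))))
    return hits


# Constructed sample of a public timeline (user names and texts are made up).
SAMPLE_TWEETS = [
    {"user": "alice", "text": "#l5d 7"},                        # bare command to followers
    {"user": "bob",   "text": "@myvcu #l5d 7 pls"},             # command aimed at the bank, but public
    {"user": "carol", "text": "oops #dmfail, sorry everyone"},  # talks about a DM fail, no command
    {"user": "dave",  "text": "Trying the new tweetMyMoney thing from @myvcu"},  # mention only
    {"user": "erin",  "text": "check the #L5D 12 balance cmd"}, # case variation still matches
]


if __name__ == "__main__":
    for user, code, arg, mentions in find_dmfails(SAMPLE_TWEETS):
        target = "to @myvcu publicly" if mentions else "to followers"
        print("%s leaked command %s %s %s" % (user, code, arg or "", target))
```

The same scan, pointed at the public stream of tweets mentioning @myvcu, is equally useful defensively: the credit union could warn a member the moment a command shows up outside a DM, which is when the member’s account becomes a target.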

I don’t want to knock the folks at VCU; they seem to be a very “progressive” credit union that wants to push the envelope with new technology. My opinion is simply that there are too many points of security “fail” in this system. Potential failures in the Twitter service, in the @myvcu account and among the Twitter users of the VCU system, on top of the third-party privacy concerns, all add up to something you shouldn’t be trusting your online banking to. Social networks are not for online banking in any form…srsly.

This is the second episode of the Social Media Security Podcast recorded September 25, 2009. This episode was hosted by Scott Wright, Tom Eston and our new co-host Kevin Johnson. Below are the show notes, links to articles and news mentioned in the podcast:

Introducing our new co-host, Kevin Johnson. Kevin is a Senior Security Analyst for InGuardians and is also an instructor for the SANS Institute, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking courses.

Kevin gives a great non-technical overview of a web application vulnerability called Cross-site Scripting (XSS). Many of the Facebook applications we found in the “month of Facebook bugs” were vulnerable to XSS. Kevin describes what XSS is, how it works and how dangerous this vulnerability is to social networking applications like Facebook.

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. You can also subscribe to the podcast now in iTunes! Thanks for listening!

Responsiveness: I received no communication at first from the developers, but Facebook did. The hole was patched about a week after notification. After patching, the developer got in touch to confirm the fix.